
Add Strict-Transport-Security Header to Web Tier

Question asked by Todd Brown on Nov 28, 2016
Latest reply on Feb 27, 2018 by Jay Guillette

We just had a pen test performed which identified the missing header Strict-Transport-Security as an issue.  How do we add this to our web-tier presence?

 

The application did not make use of the Strict-Transport-Security header to prevent SSL-stripping attacks.

 

Users may be victim to SSL-stripping man-in-the-middle attacks, causing session details and potentially sensitive
information to be sent over the network in cleartext. Client network traffic may also be potentially manipulated. In
order to exploit this flaw, an attacker would likely need to be able to intercept network traffic between a client and
server.

 

Since the world wide web consists of a mix of HTTP and HTTPS sites, it is often easy for attackers to conduct
man-in-the-middle downgrade attacks whenever users transition from an unencrypted (HTTP) site to an encrypted (HTTPS)
site. In these attacks, references from an HTTP site to an HTTPS are replaced with HTTP links. From there, an
attacker can intercept and translate requests to and from HTTP and HTTPS and provide users with little indication
that their traffic is being intercepted. A tool which implements many forms of this attack is sslstrip SSLStrip
[SSLSb].

 

In order to mitigate these attacks, the IETF the Strict-Transport-Security header HTTP Strict Transport
Security [HSTS], which instructs browsers to cache information about a site's SSL/TLS support. Once cached,
browsers which implement support for this header will refuse to access the site over unencrypted links in the future
(until a predefined time-out).

 

Reproduction:
The following response headers demonstrate the lack of the Strict-Transport-Security header:

 

curl -ki https://xxx.xxx.xxx.xxx/console-selfservice/


HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Tue, 01 Nov 2016 15:54:36 GMT
Pragma: No-cache
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: console-selfservicejsessionid=K2yWYY6cZZQlnvn5hHjVTq1NvSnf6Sy1hTh32T2LnYGR2n73Vj3t!-1655169621; path=/console-selfservice; secure; HttpOnly
X-Powered-By: Servlet/3.0 JSP/2.2
X-Frame-Options: SAMEORIGIN
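
An added example, not part of the original post or of the product's own code: a check that can be run over captured response headers, before and after the web tier is changed, to confirm that a Strict-Transport-Security header is present and that browsers will honour it under the RFC 6797 parsing rules. The sample response is constructed from the reproduction above, and the `MIN_MAX_AGE` floor and the function names are assumptions.

```python
import re

# Constructed sample: headers from the reproduction above, cookie value replaced.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Set-Cookie: console-selfservicejsessionid=PLACEHOLDER; path=/console-selfservice; secure; HttpOnly
X-Frame-Options: SAMEORIGIN
"""

MIN_MAX_AGE = 15552000  # assumed policy floor (180 days); not a value from the page

def parse_hsts(value):
    """Parse one Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns a dict of directives, or None if a browser would ignore the header."""
    directives = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, val = part.partition("=")
        name, val = name.strip().lower(), val.strip()  # names are case-insensitive
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]                            # quoted-string form is allowed
        if name in directives:
            return None                                # repeated directive: invalid
        directives[name] = val
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None                                    # max-age is required, digits only
    return directives

def audit_hsts(raw_response):
    """Return a list of findings for a raw HTTPS response header block."""
    values = [line.split(":", 1)[1].strip()
              for line in raw_response.splitlines()[1:]  # skip the status line
              if line.lower().startswith("strict-transport-security:")]
    if not values:
        return ["missing: no Strict-Transport-Security header"]
    policy = parse_hsts(values[0])       # browsers process only the first header
    if policy is None:
        return ["invalid: header is malformed and will be ignored"]
    findings = []
    max_age = int(policy["max-age"])
    if max_age == 0:
        findings.append("disabled: max-age=0 tells browsers to forget the policy")
    elif max_age < MIN_MAX_AGE:
        findings.append("weak: max-age %d is below %d" % (max_age, MIN_MAX_AGE))
    if "includesubdomains" not in policy:
        findings.append("note: includeSubDomains not set")
    return findings

if __name__ == "__main__":
    print(audit_hsts(SAMPLE_RESPONSE))
```

The header only takes effect when it is delivered over HTTPS, so the captured response should come from the HTTPS listener rather than from a plain-HTTP redirect.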
